A Modern, Holistic Approach to Third-Party Risk Management

December 6, 2021

  • Third-party risk management (TPRM) is a newer term that describes vendor risk management.
  • The Optiv approach focuses on protecting client data, internal or customer, when it may be accessed, provided to or processed by third-party vendors.
  • Effective TPRM is iterative and emphasizes leading practices over “best practices.”


First in a series.


In this series, Dr. Stuart Broderick from our risk management practice explains the threats, issues and pitfalls associated with managing third-party organizations and discusses the actions necessary to limit risk.


Third-party risk management (TPRM) is:


  • an increasingly complex problem facing most companies and their customers;
  • a slick operational process when it works flawlessly – and an omnishambles when it doesn't;
  • a management necessity with enterprise-wide requirements and impacts.


Each post will consider one of the above statements and focus on how it affects the organization, its customers, operations, IT, and information.



Third-Party Risk Management, Part I

Third parties are used by virtually every organization, whether it’s to provide materials or parts to produce goods, purchase completed goods to resell, supply temporary staff or support the organization with needed services. In all cases, these entities pose business risks; CISOs and their teams must understand how that risk spans the business and when, or whether, it reaches the organization's data, IT and information security teams.


If the third party needs to share, provide or interact with your data or your customer data, your risk exposure may significantly increase.



What Is Third-Party Risk Management and Why Is It Important?

Third-party risk management is the “new” name for what, in decades past, was termed vendor risk management, vendor management, supply chain risk management or supplier risk management. TPRM is a focused subset of enterprise risk management that identifies and reduces risks when third parties are leveraged to perform specific tasks. These entities include vendors, suppliers, partners, contractors, and service providers.


Our TPRM approach specifically addresses the risks third parties pose to an organization’s information. Programs should help the organization understand, monitor and manage how it interacts with selected third parties and what safeguards are necessary to protect its data, and this includes its customer and other vendor data. These measures are implemented by the organization or its third parties, and sometimes both.


Many TPRM practices apply to all organizations, but it’s likely each has nuances unique to them or their vertical.


TPRM’s importance boomed as organizations increasingly embraced outsourcing in the early 2000s. The COVID-19 pandemic made TPRM the center of attention, as many organizations are totally dependent on third parties – so much so, in fact, that their operations might implode if one or more critical third parties were to fail (or introduce levels of risk that the organization wasn’t able to cope with).


In fact, more than 50% of data breaches over the last two years trace back to a third party – whether directly or via a breach of the third party that made it a stepping-stone to the primary contracting organization.


Today, outsourcing is central to modern business. It provides a solution to talent and resource shortages, increasing infrastructure costs and more. It’s sometimes less expensive for a business to outsource activities to a cloud provider, for example, but associated risks still remain with the original contracting organization.


The biggest risk, and one that many organizations don't fully recognize, is that they still bear full responsibility for their data, regardless of who’s using, processing or storing it on their behalf. This means the organization remains exposed whether or not it is actively managing third-party risk. Therefore, TPRM is essential – especially for publicly traded businesses.


Consider the following third-party scenarios and how they’d impact your organization:


Third-Party Event / Potential Consequences

  • Event: Cloud provider goes offline and your website is down for an unacceptable duration. Consequences: Online sales plummet until the site is restored.
  • Event: Core cloud-based applications go offline or are otherwise unusable. Consequences: Standard business operations become untrustworthy, unavailable or use incorrect data.
  • Event: A component supplier for one of your core vendors can’t get parts to make vital equipment your organization needs (today, some organizations are experiencing difficulties with IT because they cannot source specific components). Consequences: Some or all of your operations halt; you may not be able to deliver goods or services (including information-related services).
  • Event: Your core logistics third party is compromised (perhaps by ransomware) and can’t ship your goods, doesn't know where goods are in transit, can't tell you when they'll know, and/or can’t provide firm delivery dates. Consequences: Supply chain disruption, including billing.


These are just a sampling of the risks your organization may be exposed to. Can you minimize them? Absolutely, but probably not to zero; there will never be a panacea that eliminates all third-party risk.



TPRM Programs Are Not a Silver Bullet That Eliminates Third-Party Risk

Go in fear of “best practices.” This term can lull us into a false sense of security because best does not mean perfect. Perfect practices would require all client and third-party organizations to fully understand their challenges and have flawless risk mitigation solutions in place that work every time. This isn’t reality and won’t be anytime soon, if ever. Why? Because the threat landscape is continually changing – as in, daily.


The best and safest TPRM programs are designed and built using “leading practices.” These are the best we have today, and they may require updates next week, next month, next year – it depends on how the unpredictable threat landscape evolves.


Ransomware is arguably the most dangerous threat most organizations face today, but most have only really been aware of it for perhaps five or six years. The first case of ransomware happened in 1989 as a localized attack, then became a pro-level threat in 2013. Since then, it has steadily gotten worse. Today a ransomware attack happens every three to five seconds somewhere across the globe. It has become a pandemic and shows no signs of slowing down.


What Is Ransomware?

Ransomware is a form of malware that locks users and administrators out of their devices or blocks access to files until a sum of money, the ransom, is paid. Ransomware attacks often cause downtime, data loss and possible intellectual property theft. Ransomware can be obvious or stealthy; it can have instant impact or delay consequences for hours, days, months or even longer. Average recovery time is more than 20 days, and payment of the ransom is no guarantee you can recover your data.


US victims are paying an average of $6,312,190 in 2021. (Source)


If your organization had a “best-practices” TPRM program in 2010, would it have protected you against a ransomware attack that arrived through a third party? No. But a leading-practices TPRM program is subject to regular reviews and updates and should have protected you. I say “should” and not “would” because there can be no guarantee it would stop the first attack if no defenses had been identified.



TPRM Program Leading Practices

A TPRM program is a complex combination of organizational processes and often supporting technologies that automate some aspects of these procedures. Some of these technologies run in-house and some demand resources that are more cost-effective when provided by a third-party. As a result, there are dozens of leading practices that an organization should adopt in its TPRM program.


For the purposes of this series, we'll focus on the top three leading practices that have proven most beneficial for our clients’ programs.


  1. Assign responsibility and accountability for the TPRM program: Recognize that TPRM is not a one-department solution – it extends beyond simple consideration of each third party;
  2. Categorize vendors: Recognize that not all vendors are the same and don’t expose your organization to the same level of risk;
  3. Ongoing TPRM program management – optimize, automate, and periodically refresh: Recognize that your TPRM program isn’t static and can benefit from automation to reduce your workload; it will need periodic review and refresh as the third-party threat landscape evolves.


These leading practices will be discussed as the series continues.

Dr. Broderick is a Technical Manager in Optiv’s strategy and risk management practice and is responsible for development and delivery of multiple security assessment, security program development and other services to Optiv clients. Having worked in the IT and information security industry for over 35 years, he’s deeply experienced in all aspects of information security and how it affects businesses of all sizes and in all sectors.
